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Detailed Action 

This Office Action is response to tine application (10749502) filed on 31 December 
2003. 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114. including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 7 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 1/18/08 
has been entered. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a), which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 1 02 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to 
a person having ordinary skill In the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner In which the Invention was made. 

Claims 1-2. 4 are rejected under 35 U.S.C. 103(a) as being unpatentable over Porras 
U.S. Patent Application Publication No. US 2003/0212903 in view of Gupta U.S. Patent 
No. US 7,234,168 further in view of Ishikawa U.S Patent app. No. US 2007/0079367. 
Regarding claims 1 and 4, Porras teaches wherein a method for detecting abnormal 
traffic at the network level using a statistical analysis, the method comprising the steps 
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of: 

a) gathering local traffic data from each network device and integrating a plurality 
of the local traffic data to generate traffic data in the network level_(Fig. 1, unit 12a -12c 
indicating the integrated of different domains in a networit); 

b) extracting a characteristic traffic data based on the traffic data in the network 
level (characteristic data forms from the header of the packet [0032]); 

c) comparing the characteristic traffic data with a characteristic traffic data profile 
resulting from statistical computations and representing normal traffic (Fig. 5, unit 78 
(compare one of the short-term profiles to a corresponding long-term statistical 
profile), and determining whether there is abnormal traffic in the network (Fig. 4, unit 
70 (Determine if statistical profile is abnormal); 

d) updating the characteristic traffic data profile using the characteristic traffic 
data if there is no abnormal traffic in the network, analyzing volume amount_of the 
abnormal traffic and monitoring the abnormal traffic if there is abnormal traffic in the 
network (the monitor can respond by reporting (updating) the activity (i.e. 
seriousness of the abnormal traffic like privilege network errors and abnormal 
levels of the network level) to another monitor or by executing a countermeasure 
response [0071]). 

With respect to claims 1 and 4, Porras teaches the invention set forth above 
except for the claimed "a single traffic sensing module". 

Gupta teaches that is well known to have traffic sensing module (Fig. 2, unit 52 
- Sensor Management Module). 
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e) transmitting the analysis result of the seriousness of the abnormal traffic to an 
abnormal traffic processing system (the overall volume of discarded packets as well 
as a measure analyzing the disposition of the discarded packets (abnormal 
packet) can provide insight into unintentionally malformed packets resulting from 
poor line quality or internal errors in neighboring hosts [0076]). 

However, Gupta is silent in terms of "to detect abnormal traffic without operation 
of a network manager, and processing tlie abnormal traffic to prevent a network failure." 

Ishikawa teaches wherein to detect abnormal traffic without operation of a 
network manager (abnormal traffic patterns - [0041]), and processing the abnormal 
traffic to prevent a network failure (the traffic analyzer 30 instructs the switching 
device 18 to cease announcing the server network address to the offending 
network -[0041]). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify Porras's invention by utilizing a network security sensors 
and distributed network security sensor architectures used to implement intrusion 
detection and protection. In addition, a sensor management system is associated with a 
sensor or set of sensors. The sensor management system provides supervisory control 
of a sensor. The sensor management system may be used to implement a shared- 
resource virtual intrusion detection system, as discussed below. A single sensor 
management system may be used to control multiple sets of primary sensors and 
redundant sensors. The combination of the sensor, redundant sensor, and sensor 
management system is referred to as a local sensor security module. Furthermore, as 
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it's disclosed the local sensor security modules may be distributed throughout a 
network. In this example, local sensor security modules 27_1 through 27_N are 
positioned between an enterprise network and Internet service providers 28_1 through 
28_N. In addition, a local sensor security module 27_0 is positioned between the 
enterprise network and a protected server, as taught by Gupta. 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify Porras's invention by utilizing the attempts to eliminate 
fraudulent requests to a server, or its firewall, are limited to blocking the source address, 
and preventing repeated requests to respond to one address via blocking the request. 
Although these mechanisms can prevent fraudulent requests from being sent to, or 
received by, the server, to prevent the transmission of requests from the suspected 
traffic, the network device receiving the requests, such as, the routers or firewall, must 
review each incoming packet. Thus, although these requests can be identified, the 
identification of these requests require that the network device, such as, the router or 
firewall, look at each incoming packet to determine whether to block the transmission. 
As such, these solutions do not prevent the stifling of traffic flow and often still result in 
the router, firewall or server from being paralyzed as the problem is merely shifted 
between the devices within the network. Furthermore, detection system utilizes an 
activity monitoring system which monitors network devices, such as routers and 
firewalls, and determines whether abnormal activity or traffic patterns are 
emerging on the devices. If a determination is made that abnormal activity or 
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abnormal traffic patterns exist, the activity monitoring system responds by 
blocking the activity or redirecting the traffic, as taught by Ishikawa. 

Regarding claim 2, Porras Gupta and Ishikawa together taught the method as in 
claims 1 & 4 above. Porras further teaches wherein the characteristic traffic data 
includes: 

information on traffic assigned to an application port which is selected according 
to an application service (TCP port identifier [0036]); 

information on traffic of which packet size is identical (networit measures 
number of pacltets and number of Icilobytes [0037]); and 

information on traffic of which the number of source-destination pairs, which 
represents the number of source addresses of the traffic having the same target 
address (categorical measures including the network source and destination 
address [0036], packet source addresses and destination addresses match is 
given internal host [0033]). 



Application/Control Number: 10/749,502 Page 7 

Art Unit: 2146 

Response to Arguments 

Applicant's arguments with respect to claim1-2, 4 liave been considered but are moot 
in view of the new ground(s) of rejection. 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Sulaiman Nooristany whose telephone number is (571) 
270-1929. The examiner can normally be reached on M-F from 9 to 5. If attempts to 
reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, 
can be reached on (571 ) 272-6798. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. Information regarding the 
status of an application may be obtained from the Patent Application Information 
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Retrieval (PAIR) system. Status information for published applications may be obtained 
from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the 
PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to 
the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217- 
9197 (toll-free). Sulaiman Nooristany 06/07/2008 



/Joseph E. Avellino/ 

Primary Examiner, Art Unit 2146 



